Thousands of Barracuda ESG devices must be replaced due to a 0-day vulnerability

Zero Day

Barracuda suddenly started urging its ESG customers to immediately replace devices

Barracuda Networks (a company that provides security, networking and storage products built on network appliances and cloud services) recently disclosed that it has been unable to fully remediate a compromise of its ESG devices, and is asking customers to replace the appliances, even if the hardware has already been patched.

The company announced the need to physically replace ESG devices because they are infected with malware installed through a 0-day vulnerability in the email attachment processing module.

The previously released patches are reportedly not enough to remove the installed malware, and details have not been disclosed, but the decision to replace the hardware presumably means the attackers installed malware at a low level that cannot be removed by reflashing the firmware or performing a factory reset.

The vendor's warning comes two weeks after Barracuda initially disclosed the remote command injection vulnerability, tracked as CVE-2023-2868. An incident response investigation with Mandiant revealed that data exfiltration had occurred and that malware containing a backdoor had been installed on some Email Security Gateway (ESG) devices. The investigation also found that the 0-day vulnerability had been exploited since October 2022.

For those unfamiliar with ESG appliances: they are a bundle of hardware and software that protects business email from attacks, spam, and viruses.

As for the problem itself, the analysis showed that the devices were compromised via an unpatched vulnerability (CVE-2023-2868) that allows an attacker to execute arbitrary code simply by sending a specially crafted email.

The issue was due to a lack of proper validation of the file names inside tar archives sent as email attachments. Because those names were passed to the Perl "qx" operator without adequate escaping, a specially formatted name allowed an arbitrary system command to be executed with the privileges of the ESG product.
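To make the bug class concrete, here is an added example (not Barracuda's code, and written in Python rather than the Perl the appliance uses) that models the shape of the flaw: an attachment-screening routine reads member names out of a tar archive and interpolates each one into a shell command, the Python equivalent of the Perl qx interpolation the advisory describes. The archive, the member names, the `scanner` command and the allowlist regex are all constructed here for illustration; the hardened function is one reasonable fix, not Barracuda's actual patch.

```python
"""Added example (not Barracuda's code): how an unvalidated tar member name
becomes a shell command injection, and how to validate the name first.

Assumptions, all constructed for illustration: the screening module is
modelled as a routine that runs an external 'scanner' command on each
archive member via the shell; the allowlist regex is our choice, not the
vendor's fix; the tar archive and its member names are built in memory.
"""
import io
import re
import shlex
import tarfile

# Strict allowlist for archive member names: plain filename characters only,
# no shell metacharacters, no whitespace, no path separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")

# A constructed malicious member name: the backticks and ';' are the kind of
# metacharacters an unescaped qx/shell interpolation would honour.
MALICIOUS_NAME = "invoice.pdf;`id`"


def build_tar(member_names):
    """Construct an in-memory tarball whose members carry the given names.
    The file contents are irrelevant; the attack lives in the name field."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            data = b"attachment body"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes):
    """Read the member names back from the archive, exactly as a screening
    module would before deciding what to do with each attachment."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def unsafe_scan_command(name):
    """Vulnerable pattern: the member name is interpolated straight into the
    command string handed to the shell. This mirrors Perl's qx("scanner $name")
    shape; with MALICIOUS_NAME the shell would run 'scanner invoice.pdf', then
    'id', and substitute its output. Returned as a string, never executed here."""
    return f"scanner {name}"


def safe_scan_command(name):
    """Hardened pattern: reject anything outside the allowlist, then quote the
    name anyway so a later relaxation of the allowlist cannot reintroduce
    injection. Raises ValueError for names that fail validation."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected archive member name: {name!r}")
    return f"scanner {shlex.quote(name)}"


def screen_archive(tar_bytes):
    """Return the scanner commands the hardened path would run for every
    member, or raise on the first malicious name so the attachment is dropped
    before any command is built."""
    return [safe_scan_command(n) for n in member_names(tar_bytes)]


if __name__ == "__main__":
    benign = build_tar(["report.pdf", "notes.txt"])
    hostile = build_tar(["report.pdf", MALICIOUS_NAME])
    print("benign archive ->", screen_archive(benign))
    print("unsafe command for hostile name ->", unsafe_scan_command(MALICIOUS_NAME))
    try:
        screen_archive(hostile)
    except ValueError as exc:
        print("hardened path rejected it:", exc)
```

The point of the allowlist-plus-quote combination is defence in depth: the regex is what actually stops this vulnerability class, while `shlex.quote` guarantees that even a name the regex wrongly admits reaches the shell as a single literal argument rather than as code. The same discipline applies to any archive format whose member names are attacker-controlled, not only tar.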

The vulnerability is present in standalone ESG appliances with firmware versions 5.1.3.001 through 9.2.0.006 inclusive. Exploitation has been tracked back to October 2022, and the issue went unnoticed until May 2023. The attackers used the vulnerability to install several types of malware on the gateways (SALTWATER, SEASPY, and SEASIDE) that provide remote access to the device and are used to intercept sensitive data.

  1. The SALTWATER backdoor was built as a mod_udp.so module for the bsmtpd SMTP process and allowed arbitrary files to be uploaded and executed on the system, as well as proxying requests and tunnelling traffic to an external server. To take control of the connection, the backdoor hooks the send, recv and close system calls.
  2. The SEASIDE component was written in Lua, installed as a mod_require_helo.lua module for the SMTP server, and was responsible for monitoring incoming HELO/EHLO commands, recognising requests from the C&C server, and extracting the parameters used to launch a reverse shell.
  3. SEASPY was an executable named BarracudaMailService installed as a system service. It used a PCAP-based filter to monitor traffic on network ports 25 (SMTP) and 587 and activated the backdoor when a packet with a special sequence was detected.

Finally, Barracuda encourages users to rotate any credentials and access keys that were connected to the Barracuda ESG, such as those used for LDAP/AD and Barracuda Cloud Control. According to preliminary data, around 11,000 ESG devices are exposed on the Internet running the Barracuda Networks Spam Firewall smtpd service, which is used in the Email Security Gateway.

Regarding the replacement of the devices, the team says it will be performed free of charge, but compensation for shipping and the cost of the replacement work is not specified. If you are interested in knowing more, you can consult the details at the following link.

